Thoughts about Passwords

I’ve been thinking lately about the problems that exist with usernames, passwords, email addresses, personal data, and the implicit trust we place in web services that they will keep this information secure.

With recent high profile flaws and hacks (Heartbleed and the eBay breach, to name my main concerns) I’ve been thinking about the best way for me to protect myself from these kinds of issues, and more generally about the privacy issues of sharing all of this information between many different services.

In the majority of these cases, the problem is that people’s details are stolen, and the danger is that if the same password has been used on multiple sites, that information could lead to misuse of services, fraud, identity theft, or stolen money.

Now, holding my hand up here, I’m not very good at varying my passwords. I have a few that I cycle through, but many are the same. I’ve thought about using a password manager, but I can’t get over the idea of them only really working on computers that I’m able to store the software on. Seeing as I use several computers (some of which I’m not allowed to install software on), I don’t think that it’s going to work out for me in the long run.

Nor do I use two factor authentication apart from on my bank account (mostly because it is quite often not available, and also an inconsistent experience across services).

In short, as someone who should know better, I can’t be bothered most of the time – but I want to be.

It occurred to me recently that the reason these issues are so critical is not that someone has been able to see what customers have bought at office.com, but that the customers can be identified – not from their username and password, but from their email address; and if you can be identified there, you can be identified elsewhere too – and if the hacker is lucky, it will be the same password.

The important thing to note is that the problem is not because the passwords are the same, but because both the user’s “persona” and password are the same. By “persona”, I’m referring to the data that is used to tie a user entity to a real world squishy person – in most cases, this is the user’s email address.

In short, the problem is that the email address and the passwords are the same across multiple services.

Password rotation and variation is one way to get around this problem, but it’s an unpopular one, and one that is complicated enough to spawn its own economy of password managers.

But, another solution is this: Use different email addresses across services.

It becomes harder to consistently identify someone if they continually present a different persona.

The Problem

This, in itself, presents a problem: How can you ensure that you can remember all of those usernames?

The answer is that you cannot.

Nor am I trying to nurture a new economy in “Username manager” software; but I believe that there is a compromise to this too.

The Compromise

“It’s what I call the … circle of trust”

Here’s my suggestion:

Divide your online services into groups of services, in which you have to give a certain level of trust (or distrust).

Create an online persona for each of these groups.

Do not share the persona across groups.

An Example

Group 0 – Most Required Trust Level:

Online Banking

PayPal

Group 1 – High Required Trust Level:

Facebook

Twitter

Group 2 – Trusted Web Shopping:

eBay (cough)

Amazon

Group 4 – Untrusted Services

Other services that you don’t fully trust – trial services, etc.

I’ve been quite expansive with this example, and you may not choose to break it out in this way. The decision about how to break out the groups is your own to make. This in itself may be a benefit, as it fuzzes the search space for crackers.
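As an added example that is not part of the original post, the following Python audit applies the grouping above to a constructed account inventory: it flags a persona (email address) that appears in more than one trust group, and works out which other services a credential stolen from one service would also open. The inventory, service names and password labels are all made up for illustration.

```python
"""Audit a personal account inventory for the cross-service linkability the
post describes: a breach is dangerous when the same persona (email) AND the
same password are in use at another service, especially in another group."""
from collections import defaultdict

# Constructed sample inventory (hypothetical services and personas). Passwords
# are represented only by opaque labels such as "pw-A", so the audit compares
# whether two accounts share a password without ever holding the real secret.
ACCOUNTS = [
    {"service": "bank",     "group": 0, "email": "me@example.com",     "pw": "pw-A"},
    {"service": "paypal",   "group": 0, "email": "me@example.com",     "pw": "pw-B"},
    {"service": "facebook", "group": 1, "email": "social@example.com", "pw": "pw-C"},
    {"service": "ebay",     "group": 2, "email": "me@example.com",     "pw": "pw-A"},
    {"service": "trialsvc", "group": 4, "email": "junk@example.com",   "pw": "pw-A"},
]


def persona_leaks(accounts):
    """Emails used in more than one trust group, i.e. personas shared across
    groups in breach of the post's rule. Returns {email: [groups...]}."""
    groups = defaultdict(set)
    for acct in accounts:
        groups[acct["email"]].add(acct["group"])
    return {email: sorted(gs) for email, gs in groups.items() if len(gs) > 1}


def blast_radius(accounts, breached_service):
    """Other services an attacker could log into with credentials stolen from
    `breached_service`: same email and same password elsewhere."""
    src = next(a for a in accounts if a["service"] == breached_service)
    return sorted(
        a["service"] for a in accounts
        if a is not src and a["email"] == src["email"] and a["pw"] == src["pw"]
    )


def main():
    for email, groups in persona_leaks(ACCOUNTS).items():
        print(f"persona {email} is shared across groups {groups}")
    for acct in ACCOUNTS:
        print(f"breach of {acct['service']:9} also opens: "
              f"{blast_radius(ACCOUNTS, acct['service']) or 'nothing'}")


if __name__ == "__main__":
    main()
```

Note that the throwaway "trialsvc" account reuses password "pw-A" but under a separate persona, so a breach there opens nothing else; the eBay account reuses both the persona and the password, so it exposes the bank account.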

Pros

Reduced levels of risk regarding identity theft

Reduced email noise – only check the email accounts you want to check on a regular basis

Cons

Increased number of email accounts that require checking. (Retort: Most email clients support multiple accounts, and apart from the initial setup, this should not cause a significant long running problem.)

Inability to use Single Sign-On functionality across groups – i.e. no “Sign In With Facebook” outside of Group 1. (Retort: To me, this is a plus – I’m not a fan of handing over access to my Facebook, or pointers to my friends’ information either.)